Privacy policy

Name of the register
The customer and marketing register and newsletter register of Oulu Tourism Ltd (hereinafter referred to as Visit Oulu) stores and processes personal data in accordance with the EU GDPR. We may change this Privacy Policy from time to time and therefore we recommend that you review any changes as appropriate to your needs.

Controller
Oulu Tourism Oy
c/o Radisson Hotel, Hallituskatu 1
90100 Oulu
+358 40 1463150
Business ID: 2339167-3

The person responsible for the register
Yrjötapio Kivisaari / yt@visitoulu.fi

Purpose of processing personal data
Our business is based on legitimate business activities, so we comply with GDPR guidelines on the storage of personal data:

The information we hold about you is lawful, fair and transparent in relation to the processing.
Data is purpose-bound - for example, the information we collect from individuals is only tied to a specific purpose. We will not disclose your data to third parties unless there is a good reason to do so. We only store information that is necessary. We aim to keep our data accurate.
We limit data retention - data has a defined lifetime, after which it is either automatically or routinely deleted unless there is a legal reason to keep it in the archive for longer.
We collect and store information about potential new customers based on customer relationships or business-related information. The main uses of the data are: marketing planning and targeting, marketing reporting and analysis, and customer communications. Visit Oulu uses personal data for direct marketing purposes as permitted by the Data Protection Act. The collection of data on new potential customers is based on business activities.
Data content of the register
We record minimal information about the customer relationship, which typically includes the unique name of the person and/or company and contact information such as email and phone number.

The data collected include:

First name and surname
Contact information (such as company name, contact details, etc.)
Other customer-related textual information
Marketing authorisation or prohibition
Billing information
Data collected through eavesdroppers
Data collected from social media channels
website address
Regular sources of information

Sources of information include:

Google Analytics and web forms on the site
Personal data is collected from the data subject in the course of the controller's own activities in connection with customer matters, including by telephone, online services and customer events.
In addition, for business purposes, for example in relation to acquiring new customers, we may use names, such as those taken from the media, which we may contact for business purposes.

Regular disclosures of data
We use third party services to process and store information that may contain personal data. However, the third parties act purely as processors of personal data and are only entitled to process such data to the extent required for the agreed services, and Visit Oulu remains the sole controller of such data.

We share limited personal information with other parties.

For marketing, we use the services of an external service provider with whom we have a separate contract.

For email marketing, we use Hubspot, Custobar and the newsletter tool, where we store the person's name and email address.

We also use our website to manage customer relationships, where we store the following: the person's name, contact details and actions related to the customer relationship, such as requests for quotes from the site.

Transfer of data outside the EU or EEA
Data is not regularly transferred outside the EU and the European Economic Area.

Principles for the protection of the register
Visit Oulu has appropriate technical and organisational security practices and processes in place to protect personal data from loss, misuse or other similar unlawful access.

The personal data contained in the register will be kept confidential. The use of the register is regulated within the controller's organisation and access to the personal register is restricted in such a way that only those employees who are entitled to access the data stored in the register by virtue of their duties and who need the data for their work are granted access and are authorised to use the data. Staff handling personal data are bound by a duty of confidentiality.

The systems are protected by security software. Access to the system requires each user of the registry to enter a username and password. The server environment is protected by passwords and an appropriate firewall. Communication between the server and the user's computer is encrypted. In addition, the controller's computer network and the hardware on which the register is located are protected by firewalls and other technical measures. The destruction of material containing personal data is carried out in a secure manner.

Inspection rights
You have the right to access your personal data and have inaccurate information about you corrected. You have the right to request the deletion of your personal data, at any time, unless our legitimate interests or a legal requirement prevent the deletion of some personal data. The information will be disclosed to the customer in an intelligible form in writing.

The request for verification is made in writing by e-mail. The identity of the data subject will be verified before the data are disclosed.

The right to request the correction of information
The controller shall correct, erase or complete personal data in the register which are inaccurate, unnecessary, incomplete or outdated for the purposes of processing, on its own initiative or at the request of the data subject. In addition, personal data may be deleted if the customer misuses the service or engages in criminal or other prohibited activities with the help of the service. The data subject should contact the controller by e-mail to correct the information.

The identity of the data subject is verified before the data is provided.

Other rights related to the processing of personal data
The data subject also has the right to prohibit the controller from processing data concerning him or her for the purposes set out in this privacy statement, unless otherwise agreed between the controller and the data subject. Requests for correction of data concerning marketing objections (telephone calls, printed direct marketing, SMS and e-mail) will be sent by e-mail.